iOS 7 forced VMware to rebuild, but company doubles down on Android.

SAN FRANCISCO—VMware's quest to virtualize the smartphone is gaining steam on Android, with some premium devices now getting access to the company's dual-persona technology.

VMware started talking about virtualizing Android smartphones back in late 2010. The idea is to run a second instance of Android on the phone inside a virtual machine, creating a secure workspace (a second "persona") that can be managed by a user's employer without affecting the user's personal items. VMware finally brought this software to market on the LG Intuition and Motorola Razr M in May of this year.

Today at the VMworld conference, VMware said dual-persona is ready for some of the most popular Android phones. "The list of smartphones supporting Horizon Workspace now includes the recently launched LG G2 that will be on all major US carriers, Motorola DROID family of smartphones (DROID Mini, DROID Ultra, and DROID Maxx), as well as HTC One through Verizon Wireless," VMware said in an announcement. "This adds to the expanding lineup of VMware Ready devices already in-market that includes the LG Intuition, Samsung Galaxy S3 and S4, Droid Razr HD, and Razr M by Motorola."

VMware formerly called its dual-persona technology "Horizon Mobile," but it recently dropped that name and bundled its product with Horizon Workspace, a broader product that includes access to virtual desktops, corporate Windows applications, and software-as-a-service applications.

Despite the name change, the dual-persona technology is available for the growing list of "VMware Ready" Android phones. "All those phones listed now have dual-persona capability," a VMware spokesperson confirmed.

We polled Ars readers last December about dual-persona phones, and a large majority of you either wanted one immediately or were interested in the idea. There are currently various options for dual-persona on phones, including BlackBerry's technology for its own phones as well as iOS and Android, and tools from companies such as Good Technology.

Horizon Workspace is sold directly to businesses, so if you're hot and heavy for using it on one of the newly announced dual-persona phones, you'll have to talk to your employer. The capability is built into the phones with a set of kernel modules that VMware provides to handset vendors, which can be deployed either before the phone is released or afterward through a software update. Consumers can buy the phones on their own as they normally would, but actually using the virtualization technology requires a business subscription.

Apple forces VMware to change course with iOS 7 upgrades

As for iOS, VMware's quest is slow going. Horizon Workspace is available for iPhones and iPads, but it lacks a dual-persona capability, even though the company announced one year ago that it would bring dual-persona tech to the iPhone. (We called it "vaporware," and so far we've been right.)

VMware had to take different approaches to iOS and Android because of the underlying architecture of the operating systems. It wasn't possible to run a hypervisor on iOS, so instead VMware planned on using Apple's enterprise deployment services to come up with something similar without actually using virtualization. VMware originally said the iOS tool would be a separate workspace containing "a collection of applications and data and services," with IT admins being able to set "policies on that workspace and be able to secure and manage it." The separate workspace would have its own productivity applications, such as e-mail, instead of relying on the native iOS apps.

VMware never got this working totally on iOS 6, so the company shifted to creating "application wrappers" that secure applications individually instead of deploying a whole separate workspace with its own set of applications. Even that ended up being made mostly obsolete by changes in iOS 7 that improve mobile device management, VMware mobile executive Srinivas Krishnamurti explained in a blog post last month.

New features from Apple include an API letting IT admins control which apps allow users to open attachments, per-application VPNs, Kerberos single sign-on at the application level, and the ability for IT admins to configure application settings. Krishnamurti explained:

Many of the capabilities that our Android solution offered—the ability to seamlessly push to or delete applications from the container, the ability to configure apps before provisioning them, the ability to run any third-party application as-is in the container, etc.—were simply not possible to implement on iOS 6.

The need for containers and application wrapping is vastly diminished with iOS 7. With the managed application feature, IT can prevent data leakage from the native e-mail client, so this negates the need for a separate e-mail/PIM application for corporate use. And with the per-app VPN, IT can now enable individual applications to have their own intranet access so this negates the need for application tunnels and a “secure” corporate browser. While there are a few other cases where app wrapping helps—for example, protecting cut/copy/paste across personal and corporate boundaries—it is fair to conclude that IT administrators can achieve their goals without leveraging app wrapping or containers and even offer a much better user experience. Further, IT administrators no longer have to plead with their ISVs to wrap or recompile the app with their chosen container technology.

"As Apple has provided a path to achieve MAM [mobile application management] support using native iOS 7 capabilities, we refocused the team to build upon that platform and deliver the application management and data leakage controls that customers require," Krishnamurti wrote. VMware's Horizon technology for iOS today includes no application wrapping capabilities, but "we will add iOS support in a future release by leveraging iOS 7 APIs."

But Android is still important to VMware's dual-persona plans, he wrote. "It is critically important to note that Android does not offer similar application management capabilities—and given its fragmentation, we believe Horizon Mobile (virtualization) is the right solution to make Android enterprise ready," Krishnamurti wrote.

“You can't do system-level innovation on iOS”

While VMware enthusiastically touted dual-persona technology at last year's VMworld, the company didn't mention it in either of its keynotes at the conference this week. When we asked today if there is much interest from customers, VMware CEO Pat Gelsinger said, "For Android devices, dual-persona is actually a pretty good approach. But it's one of the tools in the toolbox. There's also app wrapping and different app provisioning and de-provisioning technologies."

If not for the aforementioned changes to iOS, "we would have been more aggressive in using it," Gelsinger said. "But given some of those changes by Apple, it's less appropriate on Apple devices, so it's not as broadly useful as we once were hoping it might be."

Gelsinger said VMware will continue to work with phone vendors to expand access to dual-persona and similar technology. Tools that secure individual corporate applications and prevent data leakage may end up being as useful as those that create entirely separate workspaces for all of the applications and data a user needs, Gelsinger said. "App wrapping largely accomplishes some of the same things, just at the app level versus at the underlying device level with partitioning," he said.

While a full dual-persona system for iOS does not appear to be forthcoming, methods of securing individual applications by using Apple APIs should show up in the next release of Horizon Workspace, Krishnamurti told Ars today. (This technically is not a form of application wrapping, according to a VMware spokesperson.) The iOS 7 changes mean VMware won't be able to include certain features like preventing users from copying and pasting between certain apps, he said. But there's still plenty that can be done. For example, businesses could remotely wipe applications without touching the rest of the device, and they could enforce controls such as preventing the e-mail client from opening attachments in certain applications.

"You can't do system-level innovation on iOS because you have a set of APIs that Apple gives you," Krishnamurti said. "We're going to leverage whatever Apple provides and all the APIs they provide to control the capabilities on the device."

Customers are excited about the new capabilities on Android and the ones planned for iOS, he said. "Mobile in general is hot with every single customer we talk to," he said.

Promoted Comments

The Android/iOS internet arguments always amuse me. It's quite obvious that many people are so blinded by their choice that they read everything through a filter.

For instance, this article quotes VMWare saying that because Android does not have application level security APIs, they needed to run a whole Android VM to achieve the necessary enterprise security for apps, while on iOS this is satisfied by built in APIs. Yet some posters here read it as "Android can run the VM while iOS can't, yay for Android".

When in actuality, the VMWare representative is saying essentially the opposite: that because of a lack of APIs (as well as fragmentation meaning even if the APIs were there they couldn't be counted on to exist on all phones) they had to create the VM solution, while on iOS they can simply use the included security APIs to achieve the same effect. Granted the APIs only came out in iOS 7, but within months >90% of iOS users will be on it and all new devices will ship with it so it's a moot point.

You could argue the downside is that if Apple hadn't added the features then it just wouldn't have been possible, but to read this article as a win for Android takes some serious mental gymnastics.

I've been excited about this for some time now, it opens up the possibility of only needing one phone, not one for work and one for personal reasons (aka I'm sick of lugging around a blackberry alongside my galaxy note 2)

Another victory for Android, not because it's simply android but because it's open source.

I don't think it's as straightforward as that.

The VMWare guy himself says you can already largely achieve all this with iOS7 and the experience will be better.

I don't agree with that assessment at all. The features added in iOS7 allow businesses to lock down the device just as well, but it does not allow for them to lock down the phone for business use, while leaving it completely open for personal use, like VMware and Blackberry allows you to do. The closest they can achieve is to lock-down things on an app-by-app basis. But if your work locks down an app for business use, then that app is also locked down for personal use, so you either have to live with those restrictions or install a different app for personal use. Since any security-minded business will lock-down all the built-in apps, that is pretty big impact on personal use.

Which way has a better user experience is subjective. With the Apple way, you won't have to switch personas every time you want to switch between accessing personal and business data. But you may have to switch applications, which means learning two ways of doing everything.

On some level I would rather have the items isolated through a suite of programs/apps rather than a second instance of an OS at this point but that is more to the point of efficiency of resources than security.

I've been excited about this for some time now, it opens up the possibility of only needing one phone, not one for work and one for personal reasons (aka I'm sick of lugging around a blackberry alongside my galaxy note 2)

You don't need virtualization for dual-persona schemes for home/work separation (software like Good and Mobile Iron already tackle that problem and they are both available for Android, iOS and for Windows Phone 7 and 8).

You just need encrypted partitions to separate your data and remote management software and services for the workplace integration. Why do you need to waste system resources and power by running a 2nd instance of Android inside of a virtual machine?

Now if this was so that you run multiple copies of Android, that would be interesting. Maybe someone would want to run stock Android (or their device manufacturers' version), and something like Cyanogenmod concurrently for different features or to test upgrade, or nightly builds, et cetera. But that would really only be the domain of the enthusiast.

Apple does not permit this, so the newest secure environment for phones will not come to iOS.

They put a nice spin on the workaround being a lot of (unnecessary with Android) work for the IT department at those companies that go with "secure" iPhones hosting insecure apps and private data the employee may not wish to have exposed on the company phone side.

This announcement is a nice boost for the Android OS in the Enterprise workspace.

You don't need virtualization for dual-persona schemes for home/work separation (software like Good and Mobile Iron already tackle that problem and they are both available for Android, iOS and for Windows Phone 7 and 8).

You just need encrypted partitions to separate your data and remote management software and services for the workplace integration. Why do you need to waste system resources and power by running a 2nd instance of Android inside of a virtual machine?

Now if this was so that you run multiple copies of Android, that would be interesting. Maybe someone would want to run stock Android (or their device manufacturers' version), and something like Cyanogenmod concurrently for different features or to test upgrade, or nightly builds, et cetera. But that would really only be the domain of the enthusiast.

So yes, the employee CAN run modded Android on their employer provided phone. No need to buy a second phone to enjoy the benefits of the modding community. The ability to mod their phone in any manner they like, as long as it does not compromise the work environment is the #1 advantage. On the flip side IT can implement any kind of customized Android on the company side that provides the security and custom access that they feel is needed.

The alternate solutions do work ... with limitations not enjoyed by an independent OS instance.

You don't need virtualization for dual-persona schemes for home/work separation (software like Good and Mobile Iron already tackle that problem and they are both available for Android, iOS and for Windows Phone 7 and 8).

Yeah, and then you actually use Good or Mobile Iron and want to claw your eyes out.

This is absurdly easy to do with kvm on the cortex a15/a7. No reason to go with the overpriced vmware solution. If you don't need quite as much isolation, just have your sysadmin create an appropriate selinux policy and put selinux in enforcing mode. That gives you a very general solution that's not hardware dependent and has very little overhead (though not zero).

The Android/iOS internet arguments always amuse me. It's quite obvious that many people are so blinded by their choice that they read everything through a filter.

For instance, this article quotes VMWare saying that because Android does not have application level security APIs, they needed to run a whole Android VM to achieve the necessary enterprise security for apps, while on iOS this is satisfied by built in APIs. Yet some posters here read it as "Android can run the VM while iOS can't, yay for Android".

When in actuality, the VMWare representative is saying essentially the opposite: that because of a lack of APIs (as well as fragmentation meaning even if the APIs were there they couldn't be counted on to exist on all phones) they had to create the VM solution, while on iOS they can simply use the included security APIs to achieve the same effect. Granted the APIs only came out in iOS 7, but within months >90% of iOS users will be on it and all new devices will ship with it so it's a moot point.

You could argue the downside is that if Apple hadn't added the features then it just wouldn't have been possible, but to read this article as a win for Android takes some serious mental gymnastics.

Another victory for Android, not because it's simply android but because it's open source.

I don't think it's as straightforward as that.

The VMWare guy himself says you can already largely achieve all this with iOS7 and the experience will be better.

I don't agree with that assessment at all. The features added in iOS7 allow businesses to lock down the device just as well, but it does not allow for them to lock down the phone for business use, while leaving it completely open for personal use, like VMware and Blackberry allows you to do. The closest they can achieve is to lock-down things on an app-by-app basis. But if your work locks down an app for business use, then that app is also locked down for personal use, so you either have to live with those restrictions or install a different app for personal use. Since any security-minded business will lock-down all the built-in apps, that is pretty big impact on personal use.

Which way has a better user experience is subjective. With the Apple way, you won't have to switch personas every time you want to switch between accessing personal and business data. But you may have to switch applications, which means learning two ways of doing everything.

"Since any security-minded business will lock-down all the built-in apps, that is pretty big impact on personal use" <- That is pure laziness on the administrator's part since Apple gives you app specific security.

I guess it depends on who is paying for the phone; the business or the employee. I know if it was my personal phone I would just tell my employer to piss off.

You don't need virtualization for dual-persona schemes for home/work separation (software like Good and Mobile Iron already tackle that problem and they are both available for Android, iOS and for Windows Phone 7 and 8).

You just need encrypted partitions to separate your data and remote management software and services for the workplace integration. Why do you need to waste system resources and power by running a 2nd instance of Android inside of a virtual machine?

Now if this was so that you run multiple copies of Android, that would be interesting. Maybe someone would want to run stock Android (or their device manufacturers' version), and something like Cyanogenmod concurrently for different features or to test upgrade, or nightly builds, et cetera. But that would really only be the domain of the enthusiast.

So yes, the employee CAN run modded Android on their employer provided phone. No need to buy a second phone to enjoy the benefits of the modding community. The ability to mod their phone in any manner they like, as long as it does not compromise the work environment is the #1 advantage. On the flip side IT can implement any kind of customized Android on the company side that provides the security and custom access that they feel is needed.

The alternate solutions do work ... with limitations not enjoyed by an independent OS instance.

First of all how many people are going to mod their phones? I would mod mine, but I'm probably in the minority. Secondly, can you mod your phone? If the Hypervisor is provided by VMware and the handset manufacturer they might prevent modding.

Also for the purposes of work/home separation that is simply overkill.

You don't need virtualization for dual-persona schemes for home/work separation (software like Good and Mobile Iron already tackle that problem and they are both available for Android, iOS and for Windows Phone 7 and 8).

Yeah, and then you actually use Good or Mobile Iron and want to claw your eyes out.

Admittedly they are crappy. We've deployed Good where I work and I just don't bother reading my work email anymore and have work-arounds for syncing my Calendar.

However, really a 2nd instance of Android and duplicate apps (e.g.: a mail app), means that you're using memory, CPU resources and draining your battery faster.

There are easier ways to create that work/home separation. The article says that Android lacks the API... but then how do Good and Mobile Iron (and now BES for the Android) manage to do it with their respective secure workspace partitions?

Of course VMware is going to push a hypervisor, because when you have a hammer, yadda, yadda, yadda... but the question is: is that necessary for the intended purpose?

What I'd rather see is something more like Touchdown that's actually got a nice interface. It maintains all of the important (at least to me) Exchange capabilities with complete lockdown according to the Exchange rules in place, yet only affecting the app itself.

It just happens to be ugly as sin, doesn't follow any of the Android UI guidelines and can be difficult as hell to find out how to do anything. Once you have found your way around the app it's not bad, but we still need a better interface for it.

Another victory for Android, not because it's simply android but because it's open source.

I don't think it's as straightforward as that.

The VMWare guy himself says you can already largely achieve all this with iOS7 and the experience will be better.

I don't agree with that assessment at all. The features added in iOS7 allow businesses to lock down the device just as well, but it does not allow for them to lock down the phone for business use, while leaving it completely open for personal use, like VMware and Blackberry allows you to do. The closest they can achieve is to lock-down things on an app-by-app basis. But if your work locks down an app for business use, then that app is also locked down for personal use, so you either have to live with those restrictions or install a different app for personal use. Since any security-minded business will lock-down all the built-in apps, that is pretty big impact on personal use.

Which way has a better user experience is subjective. With the Apple way, you won't have to switch personas every time you want to switch between accessing personal and business data. But you may have to switch applications, which means learning two ways of doing everything.

I don't deny that. My claim wasn't that the ios way was better. My claim was this scenario did not really show that either way was significantly better. Don't forget my comment was a response to someone claiming that this proved open source was better. And while I may agree with the sentiment, I don't think this situation proves that at all.

I would never use this sort of 'dual persona' where the workplace controls my whole device.

All business records are subject to government access. All your phone records are now business records. Way too creepy.

You would use this feature due to two different scenarios. One, your company has a bring your own device policy. Two, you are cheap and use your employers phone for personal use. In either scenario, your personal data is exposed unless you use some dual personality scheme.

However, your personal records are subject to government access. Just ask Ed Snowden.

The Android/iOS internet arguments always amuse me. It's quite obvious that many people are so blinded by their choice that they read everything through a filter.

For instance, this article quotes VMWare saying that because Android does not have application level security APIs, they needed to run a whole Android VM to achieve the necessary enterprise security for apps, while on iOS this is satisfied by built in APIs. Yet some posters here read it as "Android can run the VM while iOS can't, yay for Android".

When in actuality, the VMWare representative is saying essentially the opposite: that because of a lack of APIs (as well as fragmentation meaning even if the APIs were there they couldn't be counted on to exist on all phones) they had to create the VM solution, while on iOS they can simply use the included security APIs to achieve the same effect. Granted the APIs only came out in iOS 7, but within months >90% of iOS users will be on it and all new devices will ship with it so it's a moot point.

You could argue the downside is that if Apple hadn't added the features then it just wouldn't have been possible, but to read this article as a win for Android takes some serious mental gymnastics.

I must admit I actually think you are reading this through a bit of a filter as well (full disclosure I am typing this from a MacBook Pro and I have an iPhone and iPad). While part of what you are saying is true, it really doesn't come down to A or B is better. Apple doesn't allow any kind of real innovation because they force everyone to use their APIs, I would say this is a negative in general but that being said they did at least realise the need for this kind of thing and have now introduced APIs that are helpful, helpful but certainly do not give the control VMware has managed to get on the Android platform. If you read carefully you will note they said the APIs mean the product they were going to release for iOS has been left relatively useless which is true enough but that product was limited initially because of Apple's closed nature. I read this article as the relative failures of different strategic business models. I do however feel that Android's full dual persona VM is a neater solution but I'm sure that is up for some debate.

I suppose the question is: will this be unpleasant to actually use, like most dual-persona systems, and will it be much cheaper (holistically) than just giving your employee another handset?

Good, AirWatch, BlackBerry's BES10-for-iOS-and-Android and MobileIron are kind of klunky: they don't always let you use native PIM tools, app compatibility is dicey and they get in the way a lot.

The best implementation I've seen thus far is BlackBerry Balance (the native solution for BlackBerry devices, not the grafted-on option for Android or iOS). It works fairly seamlessly, largely because support for it is written into the core OS. It's kind of a pity that there's so few BB10 apps because it's a really elegant solution.

iOS's APIs seem similar, but they also don't seem as absolute as Balance, which might make IT, Security and/or Legal departments in controlled industries nervous about doing BYOD. It also begs the question about how you handle apps that need to exist on both sides of the work/personal perimeter: say Mail, Calendar, Safari, or apps like salesforce.com? Can you have two separate instances of the same app (because you _know_ IT will want to lock versions on the work side)? Can the work side be wiped without affecting the personal side? Can you stop leakage from services like CopyAndPaste?

For instance, this article quotes VMWare saying that because Android does not have application level security APIs, they needed to run a whole Android VM to achieve the necessary enterprise security for apps, while on iOS this is satisfied by built in APIs. Yet some posters here read it as "Android can run the VM while iOS can't, yay for Android".

When in actuality, the VMWare representative is saying essentially the opposite: that because of a lack of APIs (as well as fragmentation meaning even if the APIs were there they couldn't be counted on to exist on all phones) they had to create the VM solution, while on iOS they can simply use the included security APIs to achieve the same effect. Granted the APIs only came out in iOS 7, but within months >90% of iOS users will be on it and all new devices will ship with it so it's a moot point.

While I agree that the lack of security APIs probably drives the need for a VM on android, I don't necessarily think that the security API is a sufficient guarantee for certain enterprise use.

If it works for the company, great. But I won't be surprised if some would go for a VM personal space that the enterprise Android instance would control. Making it so that the VM, as a whole, can't inspect memory of the host OS, may be the actual desired behaviour.

Another victory for Android, not because it's simply android but because it's open source.

I think you misread the article, it says that security features are not available on Android as it is, so it presents VM with an opportunity to build, while iOS has these features already built-in (version 7).

The Android/iOS internet arguments always amuse me. It's quite obvious that many people are so blinded by their choice that they read everything through a filter.

For instance, this article quotes VMWare saying that because Android does not have application level security APIs, they needed to run a whole Android VM to achieve the necessary enterprise security for apps, while on iOS this is satisfied by built in APIs. Yet some posters here read it as "Android can run the VM while iOS can't, yay for Android".

When in actuality, the VMWare representative is saying essentially the opposite: that because of a lack of APIs (as well as fragmentation meaning even if the APIs were there they couldn't be counted on to exist on all phones) they had to create the VM solution, while on iOS they can simply use the included security APIs to achieve the same effect. Granted the APIs only came out in iOS 7, but within months >90% of iOS users will be on it and all new devices will ship with it so it's a moot point.

You could argue the downside is that if Apple hadn't added the features then it just wouldn't have been possible, but to read this article as a win for Android takes some serious mental gymnastics.

I'm sorry but I really think you didn't read this part, or your "worked out" mind chose to ignore:

"You can't do system-level innovation on iOS because you have a set of APIs that Apple gives you,"

If the built-in iOS APIs were "satisfying", this article wouldn't even exist. It doesn't take much mental gymnastics to realize that, you know...

If everyone does system-level innovation on iOS it would be fragmented just like Android.

"If the built-in iOS APIs were "satisfying", this article wouldn't even exist."

Yes because no one would ever complain about something that works just fine.

The Android/iOS internet arguments always amuse me. It's quite obvious that many people are so blinded by their choice that they read everything through a filter.

For instance, this article quotes VMWare saying that because Android does not have application level security APIs, they needed to run a whole Android VM to achieve the necessary enterprise security for apps, while on iOS this is satisfied by built in APIs. Yet some posters here read it as "Android can run the VM while iOS can't, yay for Android".

When in actuality, the VMWare representative is saying essentially the opposite: that because of a lack of APIs (as well as fragmentation meaning even if the APIs were there they couldn't be counted on to exist on all phones) they had to create the VM solution, while on iOS they can simply use the included security APIs to achieve the same effect. Granted the APIs only came out in iOS 7, but within months >90% of iOS users will be on it and all new devices will ship with it so it's a moot point.

You could argue the downside is that if Apple hadn't added the features then it just wouldn't have been possible, but to read this article as a win for Android takes some serious mental gymnastics.

What? You prefer a set of API which are limited and can be actually bypassed to a full OS in a virtual machine running completely separated?

Excuse me, but I think its the last one that companies and consumers want. Otherwise go ask Amazon and other cloud providers why they run virtualization instead of just limiting different customers with an API set. I don´t want to even start debating in terms of security of one vs the other one...

The idea is to run a full-blown separate OS that is separated completely from the original system; you can't possibly compare this to installing apps and data in the same environment limited with some OS-specific features. You are not even comparing apples to oranges here on how different these things are.

VMware is a virtualization company and so they want to run a full virtual OS in the hardware, similar to how they do in desktops and servers, not fake virtualization that just emulates some OS restricted by some API set implemented in the original OS.

So excuse me but people are correct when they say Android can run it and iOS can't. An API set is a completely different thing and while some companies are fine with that, a full separated OS which runs completely separated by virtualization is the real deal. iOS can probably run that, but it would need changes which would violate Apple agreements or VMware needs to have them change code which Apple is not willing to do. I'm 100% here that the legal restrictions are the problems, as opposed to Android where they can modify the whole source code if they want. Apple is never going to be friendly to anything that lets them bypass their own OS. And a virtual machine running in a phone is exactly that; it would not be long until people could run Android in the iPhone or the other way around and this is something Apple does not want.

They want to have control over their hardware with their own software, so I don't think we are ever going to see virtualization running in some iPhone or iPad just because it's the nature of Apple's software.

Another victory for Android, not because it's simply Android but because it's open source.

I think you misread the article, it says that security features are not available on Android as it is, so it presents VM with an opportunity to build, while iOS has these features already built-in (version 7).

That is a complete lie. There are plenty of apps that can implement security features with a rooted phone, in terms of what they do. Limit Internet, SMS, when they run, etc. Google is your friend. There are gazillions of software packages that can do this, even very advanced firewalls, all on rooted phones. Also it's not impossible to implement this in Android if you want because the code is open.

The reason it does not exist by default is exactly because of what I mentioned before. There are ways to do this even for the newbie consumer with a rooted phone and the right apps. You can spoof network and control absolutely everything an app wants to do. There are so many app-restricting options and security sets that this article would be too long to list all of them. Some even come installed already with rooted OS like Cyanogen.

So people that claim are missing the real fact on purpose. Does Android have these features by default? No. But there are like 1000 options to do this that are directly talking to the OS and kernel. Android is nothing more than Linux at the end of the day.

As someone who deals with BYOD on a daily basis for a number of clients, I have a suspicion that in the long term, this type of phone-hypervisor and/or partitioning and/or locking down of apps is going to be rendered moot by better employee electronic information policies.

If you deal with top secret/secure information, it's granted you are going to need a truly hard division for work / personal data but in my view the vast majority of people simply don't care that much. They want their particular flavor of iOS, Android, BB, WinPhone and (especially if the company pays the cell bill) they will sign a legally binding agreement saying "Hey, use this work phone for as much personal data as you want, but know the device and its contents belong to the company and if need be it will be remotely wiped, including your vacation photos."

We know through the emergence of cloud services that people are willing to abdicate personal ownership of data for convenience and perceived cost savings. It applies to our desktops, laptops, music, movies etc. already. Big picture: Is a dual-persona phone a real need, or a manufactured one?